WhatsApp flaw leaves users open to spying

News by Tim Ring

Global messaging service WhatsApp, now part of Facebook, has owned up to a security flaw which leaves it open to man-in-the-middle (MiTM) attacks.

The vulnerability was discovered recently by the US University of New Haven's Cyber Forensics Research & Education Group (UNHcFREG).

Researchers found that when WhatsApp users share their location data, it is left unencrypted and can be intercepted through a rogue access point or a man-in-the-middle attack. A video on how it's done using the NetworkMiner network sniffing tool running on Windows is available here.

Commenting on the problem in an April 19 blog post, Sophos senior security advisor Paul Ducklin said that this kind of flaw could be of interest to intelligence services.

He said: “We've written before about one group of ‘attackers’ who happily make hay while mobile apps shine forth their data, namely the intelligence services. And we've written about how hard it is to judge whether special-purpose mobile apps - such as those for banking - should be considered safe to use at all. WhatsApp, sadly, yet again joins the list of mobile apps that simply didn't get it right.”

The UNHcFREG researchers advise users: “Do not share your location on WhatsApp until this issue is fixed.”

As for business security professionals, Ducklin believes the flaw should not present a problem. However, he told SCMagazineUK.com via email: “It's disconcerting to find that an app that makes big claims about privacy would give away information where you might reasonably expect it not to. One wonders why WhatsApp didn't just use public key cryptography over a secure connection - TLS, often known as HTTPS.”

WhatsApp is a popular mobile phone app that enables users to send text messages for free. The company was acquired by Facebook for around £11.3 billion ($19 billion) in February, and last month CEO Jan Koum blogged that “respect for its users' privacy is coded into our DNA”.

However, the location flaw is the latest in a series of privacy problems faced by the company.

Koum's blog was in response to accusations by two US privacy groups, the Electronic Privacy Information Center and the Center for Digital Democracy, that the Facebook takeover should be invalidated because WhatsApp's privacy policy was incompatible with that of the social networking giant.

Last month, SC UK also reported a flaw that enabled WhatsApp users' “private” messages to be intercepted through downloaded Android apps.

Ducklin at Sophos has also highlighted previous “security blunders” WhatsApp made in its attempts to use symmetric encryption and to knit its own session-based cryptography.

The company has said it will fix the location bug in the next release across its different mobile phone platforms, telling the UNHcFREG team when they reported the bug: “We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform.”

Security specialist Dan Drummond, a technical consultant with Apadmi, told SCMagazineUK.com that the problem “shows just how much care app developers need to take in what services apps use, and how they use them. Fortunately this time, this leakage of personal information only happens if a user actively shares their location, and users can stop using this feature until the problem is fixed.

“App users are becoming increasingly aware of privacy and security issues surrounding their personal data, and app developers are going to need to prove they can be trusted with users' sensitive data.”

SC contacted WhatsApp to ask when the fix would be released, but had not received a reply by the time of writing.
